Data Processing Agreement (DPA) - Vora
Version: 3.2.0
Effective Date: 13 May 2026
Last Updated: 26 May 2026
Authoritative Language: Italian. This English version is a courtesy translation of dpa.it.md. In case of conflict, the Italian version prevails.
Data processing agreement entered into under Article 28 of Regulation (EU) 2016/679 ("GDPR") and Articles 28 and 29 of Italian Legislative Decree 30 June 2003 no. 196 ("Italian Privacy Code") as amended by Legislative Decree 10 August 2018 no. 101, and - for Customers established in third jurisdictions or processing data of data subjects resident therein - under the equivalent regulatory institutes provided by local laws (UK GDPR + DPA 2018; Brazilian LGPD - processing agreement under Articles 35-36; CCPA Service Provider Agreement; PIPEDA processing contracts; etc.). The SCC Annex dpa-annex-sccs.en.md constitutes an integral and substantial part of this DPA.
BETWEEN
Vora S.r.l. (the "Processor" or the "Company"), registered office Viale Certosa 218, 20156 Milan (MI), Italy, Tax Code / VAT IT14762180967, REA Milan (registration pending), represented by its legal representative pro tempore;
AND
The Customer organisation, identified at Platform registration by the data provided by its authorised representative ("Controller" or "Customer");
(jointly: the "Parties").
Recitals
A) The Company provides the Customer with the "Vora" SaaS platform governed by the Customer Terms of Service version 3.1.0 (customer-tos.en.md), of which this DPA constitutes an integral and substantial part.
B) In providing the Service, the Company processes personal data on behalf of the Customer as data processor under Article 28 GDPR and the equivalent institutes (LGPD operador; CCPA service provider; UK GDPR processor; PIPEDA third-party processor; etc.).
C) The Parties intend to govern their mutual rights and obligations regarding personal-data processing in accordance with the provisions below, compliant with the requirements of Article 28(3) GDPR and - for international transfers - of the SCC Annex.
1. Definitions
Reference is made to the definitions in Article 4 GDPR (in particular: "personal data", "processing", "controller", "processor", "recipient", "data subject", "personal data breach", "special categories of data") and to the main contract definitions in customer-tos.en.md Article 1. Equivalent definitions of local laws (UK GDPR, LGPD, CCPA, PIPEDA) apply mutatis mutandis to the processing of personal data of data subjects resident in the relevant jurisdictions.
GDPR definitions prevail in case of interpretive conflict.
2. Subject Matter, Duration, Nature, Purposes of the Processing
2.1 Subject matter. Processing covers the personal data of Platform End Users (Participants, voters, idea authors, reward winners) and of the Customer's collaborators operating on the Platform, collected and managed through the Vora Service, regardless of the data subject's jurisdiction of residence.
2.2 Duration. The processing lasts for the term of the main Contract, with return/erasure terms set out in Article 11 of this DPA.
2.3 Nature. Processing carried out by automated electronic means, including operations of collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, communication, comparison, interconnection, restriction, erasure and destruction (Article 4(2) GDPR).
2.4 Purposes. The purposes of processing "on behalf of the Controller" include:
a) provision of Platform functionalities: user account, idea submission, voting, blockchain certification of votes, Idea Challenge management, reward distribution;
b) processing ancillary to Controller's purposes regarding Promotional Initiatives, in every jurisdiction in which the initiative is offered or whose participants are resident - see Annex B for the multi-jurisdiction summary (D.P.R. 430/2001 in Italy; Gambling Act 2005 and CAP Code in the UK; FTC Act and state laws in the US; Lei 5.768/1971 in Brazil; etc.). It is understood that the Customer is and remains the sole promoter / sponsor / organisateur / Veranstalter / organizador under the applicable law of its jurisdiction and bears in its own name the regulatory, tax and consumer-protection obligations;
c) delivery of transactional notifications to End Users on behalf of the Controller (e.g., vote confirmation, reward-winning notification, proposal-rules change);
d) backup, recovery and business continuity management in connection with the Service.
For the avoidance of doubt, the Company's promotional use of social-media handles, names and content on its own official channels under Article 12-bis of the Customer Terms of Service and Article 3.5 of the End-User Terms is carried out by the Company as an independent controller for its own purposes and does not form part of the processing instructions or the processor mandate under this DPA.
3. Categories of Personal Data and Data Subjects
3.1 Categories of data subjects:
- End Users / Participants of the Customer's public content on the Platform, wherever resident;
- Customer's collaborators (administrators of the organisation space);
- recipients of the Customer's promotional communications.
3.2 Categories of personal data:
- identification data: name, surname (optional), email, possibly username / handle;
- profile data: language, time zone, profile picture (if uploaded), badges, XP level;
- interaction data: votes cast, ideas submitted, comments, participations, timestamps;
- technical data: IP address, user-agent, session cookies;
- image data (if uploaded): photos attached to ideas, encrypted at-rest with application-layer AES-256-GCM;
- reward data: type, value, access codes, delivery address (only if necessary for a physical prize).
3.3 Special categories of data (Article 9 GDPR; sensitive personal information CCPA; dados pessoais sensíveis LGPD; special category data UK GDPR): standard processing does not include special categories. Where the Customer decides to collect such data, the Customer must give the Company prior notice and apply the heightened measures provided by Articles 9 and 10 GDPR and Article 2-sexies of the Italian Privacy Code, as well as - where applicable - the equivalent rules of other jurisdictions (CCPA sensitive-PI limitations; LGPD Article 11). The Company reserves the right to refuse the processing where adequate measures are not ensured.
4. Specific Roles and Responsibilities
4.1 Customer as Controller. The Customer, acting as data controller under Article 4(7) GDPR (and equivalent qualifications - LGPD controlador; CCPA business; PIPEDA organisation):
a) determines the purposes and means of processing within its Platform space;
b) warrants having an appropriate legal basis (Article 6 GDPR; Article 9 where relevant; CCPA legitimate business purpose; LGPD legal bases Articles 7-11; etc.) for every processing of personal data;
c) provides data subjects with the privacy notice under Articles 13-14 GDPR (and equivalents - CCPA privacy notice; PIPEDA notice; LGPD informação ao titular Article 9), indicating the Company as Processor and linking this DPA;
d) collects and documents any required consents under Article 7 GDPR (including explicit consent for marketing purposes or for opt-in voter-identity sharing; as well as CCPA prominent disclosure for sale/share, where applicable; COPPA verifiable parental consent for under-13s; etc.);
e) responds to data-subject requests (Articles 15-22 GDPR and equivalent rights - CCPA right to know/delete/correct/opt-out, LGPD Article 18, UK GDPR, PIPEDA, etc.) and maintains the records of processing under Article 30 GDPR (or equivalent - UK GDPR records of processing; LGPD Article 37).
4.2 The Company as Processor. The Company, acting as processor under Articles 4(8) and 28 GDPR (and equivalent qualifications - LGPD operador; CCPA service provider; UK GDPR and PIPEDA processor):
a) processes data solely on behalf of the Customer and per the Customer's documented instructions, including instructions regarding extra-EU transfers (see Article 8 of this DPA and the SCC Annex);
b) ensures data confidentiality, also after termination of the relationship;
c) adopts the security measures set out in Article 6 of this DPA;
d) assists the Customer in compliance with Articles 32-36 GDPR (DPIA, breach notification, prior consultation) and the equivalents (UK GDPR DPIA; CCPA risk assessment for sensitive PI; LGPD RIPD - relatório de impacto);
e) cooperates with the Customer in handling data-subject requests (see Article 5);
f) makes available to the Customer the documentation necessary to demonstrate compliance with the processing obligations (Article 28(3)(h) GDPR and Article 9 of this DPA).
4.3 Co-Controllership - Voter Identity Sharing. When the Customer's Space Owner activates the opt-in voter-identity-sharing feature (Vote.share_identity_with_org), the Company and the Customer act as co-controllers under:
- Article 26 GDPR for EU/EEA data subjects;
- equivalent co-controllership rules for UK (UK GDPR Article 26), Brazilian (LGPD - co-controladores), Californian (business-to-business relationship under CCPA with sharing opt-in), Canadian (PIPEDA joint accountability) data subjects and other applicable jurisdictions,
limited to "explicit consent collection + transmission of identification data to the promoter". The split of responsibilities is as follows:
- the Company: manages the consent-collection interface, records consent in the ConsentRecord model, and exposes the access endpoints to the promoter (/proposals/<id>/voters/);
- the Customer: defines the purpose for which shared data will be processed once received, and provides the data subject with additional information under Article 13 GDPR (and equivalents) on its subsequent processing;
- both Parties are jointly and severally liable to the data subject solely for the consent-collection and transmission phase.
The essence of the co-controllership agreement is made available to the data subject in the privacy notice published at privacy-policy.en.md § 2.3.
5. Assistance to the Controller on Data-Subject Requests
5.1 The Company assists the Customer, through appropriate technical and organisational measures, in fulfilling the obligation to respond to data-subject requests under Articles 15-22 GDPR and equivalent rights.
5.2 Requests received directly by the Company but relating to Customer processing are forwarded to the Customer within five (5) business days, with a courtesy communication to the data subject as to the responsible party. The Company does not respond on the merits.
5.3 The Company makes available to the Customer, via self-service tools in the administrative console or via support email at privacy@voiceofthenewera.com, the functionalities to:
a) export a data subject's data in JSON / CSV format (Article 20 GDPR - portability; LGPD Article 18 V; UK GDPR right to data portability; CCPA right to know);
b) delete a data subject's data from its space (Article 17 GDPR; CCPA right to delete; LGPD Article 18 VI; PIPEDA equivalent), subject to Article 6 on blockchain entries;
c) restrict or block processing of a data subject (Article 18 GDPR; CCPA opt-out of automated decision-making; LGPD Article 18);
d) rectify inaccurate data (Article 16 GDPR; CCPA right to correct; LGPD Article 18 III).
5.4 For complex requests not manageable via self-service, the Company provides reasonable assistance within ten (10) business days, without prejudice to the maximum deadline applicable to the Controller (30 days GDPR; 45 days CCPA; 15 days LGPD; without undue delay in other jurisdictions).
6. Security Measures (TOMs under Article 32 GDPR and equivalents)
6.1 Technical measures.
a) At-rest encryption:
- AES-256 at AWS level (KMS-managed) for Aurora volumes and S3 objects;
- application-layer AES-256-GCM for user images in PostgreSQL BYTEA (master key IMAGE_ENCRYPTION_MASTER_KEY in AWS SSM Parameter Store SecureString);
- application-layer AES-256-GCM for sensitive vote data (master key VOTE_ENCRYPTION_MASTER_KEY in SSM).
b) In-transit encryption: TLS 1.2 minimum, TLS 1.3 where supported; HSTS enabled; cipher suites ECDHE-AES-GCM / ChaCha20-Poly1305.
c) Access control: AWS IAM least-privilege; MFA mandatory for the Company administrative personnel; network segregation (Aurora in private subnet with no Internet route); secrets in SSM with KMS encryption.
d) Audit log: structured JSON logging (structlog); CloudWatch Logs with 90-day retention; application-level personal-data access logging; CloudTrail audit for infrastructure operations.
e) Backup:
- daily automatic Aurora snapshots, 7-day retention;
- manual pre-deploy snapshots, 30-day retention;
- daemon EC2 volumes: snapshots via Data Lifecycle Manager (DLM), 7-day retention;
- restore tested at least every six months.
f) Resilience: multi-AZ serverless architecture (App Runner, Lambda, Aurora with automatic failover); rate limiting (120 req/min anonymous); application-level abuse protection (input validation, parameterised queries, ORM).
g) Code security: mandatory review; dependency scanning (pip-audit, npm audit); Playwright E2E tests; development environment segregated from production data.
6.2 Organisational measures.
a) Contractual NDA for all collaborators accessing production data;
b) "Need-to-know" access: production data are accessible only to indispensable personnel, under explicit and recorded authorisation;
c) Training: periodic privacy + security training for technical personnel;
d) Pseudonymisation: development / test datasets are produced from anonymised / synthetic exports, never from integral production copies;
e) Documented procedures: incident response, business continuity, data-subject request handling, DSA / UK OSA / NetzDG / Marco Civil notice handling.
6.3 Review of measures. The Company reviews security measures at least annually and upon significant architectural changes. The Customer may request updated information at privacy@voiceofthenewera.com.
7. Sub-Processors
7.1 The Customer generally authorises the Company to engage sub-processors for the processing, under Article 28(2) GDPR and equivalents.
7.2 The up-to-date list of currently designated sub-processors is set out in privacy-policy.en.md § 6 and in the SCC Annex. Summary:
| Sub-processor | Processing | Registered office | Technical location |
|---|---|---|---|
| Amazon Web Services EMEA SARL / AWS Inc. | Compute, database, storage, secrets | Luxembourg / USA | EU-West-1 (Ireland) primary + US operational access |
| Resend Inc. | Transactional email delivery | USA (Delaware) | USA (EU-region verification at publish) |
| Google Ireland Ltd. + Google LLC | Google OAuth 2.0 | Ireland + USA | EU + USA |
| Anthropic PBC (if AI active) | AI models for summarisation | USA | USA |
7.3 The Company ensures each sub-processor is bound by contractual obligations substantially equivalent to those provided in this DPA, in compliance with Article 28(4) GDPR and - for extra-EU sub-processors - with the SCCs of the SCC Annex dpa-annex-sccs.en.md.
7.4 In case of addition or replacement of a sub-processor, the Company notifies the Customer of the change with at least 30 days' advance notice by email to the registered administrative address. The Customer may object on reasoned grounds within 15 days of notification, with data-protection justifications. In case of well-founded objection that cannot be overcome with supplementary technical measures, the Customer may terminate the Contract without penalty.
7.5 The Company remains directly liable to the Customer for the sub-processors' activities, under Article 28(4) GDPR.
8. International Personal Data Transfers
8.1 The Company processes the Customer's personal data primarily within the European Economic Area.
8.2 Extra-EU/EEA transfers are governed by the SCC Annex dpa-annex-sccs.en.md, which incorporates by reference:
a) the Standard Contractual Clauses of the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module 3 (processor-to-processor);
b) the UK International Data Transfer Addendum (IDTA) B1.0 (21 March 2022) for UK → third-country transfers;
c) the Swiss-adapted SCCs under the FDPIC declaration of 27 August 2021 for CH transfers;
d) the LGPD-specific contractual clauses under Article 33 of Lei 13.709/2018 for transfers from Brazil;
e) the CCPA non-sale / non-share declaration for data of California data subjects.
8.3 For each extra-EU sub-processor, the Company implements a Transfer Impact Assessment (TIA) compliant with CJEU judgment C-311/18 ("Schrems II") and with supplementary technical and organisational measures.
8.4 TIA documentation is made available to the Customer upon request.
9. Audit Right (Article 28(3)(h) GDPR)
9.1 The Customer has the right to verify the Company's compliance with this DPA via:
a) self-assessment questionnaires that the Company undertakes to complete within 30 days of written request;
b) certification reports (e.g., ISO 27001, SOC 2) of the Company or its main sub-processors (AWS), where available;
c) on-site or remote audit, with at least 30 days' prior notice, with frequency not exceeding once a year (save for documented breach cases) and during business hours, with confidentiality of results under NDA to be signed before the audit.
9.2 The reasonable costs of the audit are borne by the Customer, save where the audit identifies a documented breach of the DPA by the Company, in which case they remain the Company's burden.
9.3 The Company publishes an annual transparency report on privacy and security available upon request at privacy@voiceofthenewera.com.
10. Breach Notification
10.1 The Company notifies the Customer, without undue delay and in any case within 48 hours of becoming aware, of any personal data breach within the meaning of Article 33(2) GDPR (and equivalents - UK GDPR; LGPD; Australian Notifiable Data Breaches scheme; CCPA breach notification; etc.) concerning data processed on behalf of the Customer.
10.2 The notification contains at least:
a) description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
b) name and contact of the Company reference point for further information;
c) description of the likely consequences;
d) measures taken or proposed to remedy and mitigate the effects.
10.3 The Company cooperates with the Customer in complying with the obligation to notify the competent supervisory authority (Article 33(1) GDPR - within 72 hours for EU/UK; tempo razoável for the Brazilian ANPD; etc.) and in any communication to data subjects (Article 34 GDPR and equivalents), providing the necessary technical information.
10.4 The Company's internal incident-response procedure is documented in docs/06-compliance/concorso-a-premi-playbook.md and in internal incident-response policies.
11. Return and Erasure at Contract Termination
11.1 Upon termination of the Contract for any reason, the Company, at the Customer's choice expressed within 30 days of termination, proceeds to:
a) return to the Customer all personal data processed on its behalf in structured format (encrypted JSON / CSV / SQL dump export);
b) delete all personal data processed on its behalf from production systems and backups, with cyclical backup retention limited to 30 days from termination, until automatic overwrite.
11.2 Erasure does not apply to on-chain data (blockchain-certified vote hashes), by virtue of the intrinsic immutability of the distributed ledger. The Company deletes, in any case, every off-chain datum allowing an on-chain hash to be linked to an identified or identifiable data subject, consistently with Italian DPA, EDPB and international best-practice guidance.
11.3 Erasure does not apply to data the Company is required to retain by law (Article 17(3)(b) GDPR - invoicing, accounting, anti-fraud, security), in any applicable jurisdiction.
11.4 The Company issues the Customer, upon request, a certification of erasure under Article 28(3)(g) GDPR.
12. Liability and Limitation
12.1 Each Party's liability for breach of this DPA is governed by the main Contract customer-tos.en.md, in particular Articles 6 (Limitation of Liability) and 7 (Indemnification).
12.2 In any case, the Company's direct liability to data subjects and supervisory authorities for the Company's own conduct (e.g., breach of the processor's obligations) is not limited: Article 82 GDPR, Article 152 of Italian Legislative Decree 196/2003 and the equivalent rules of applicable jurisdictions apply in full.
13. Final Provisions
13.1 In case of conflict between this DPA and the main Contract, the DPA's provisions prevail solely on personal-data processing matters.
13.2 Forum / Arbitration: refer to Article 13 of the main Contract customer-tos.en.md (exclusive forum of Milan for EU/EEA/UK/CH Customers; CAM Milan arbitration for non-EU/EEA/UK/CH Customers; governing Italian law).
13.3 This DPA, together with its SCC Annex, is deemed automatically accepted by the Customer upon acceptance of the Customer Terms of Service version 3.1.0.
Annex A - Summary of Categories of Data per Purpose
(Reference is made to the table in Article 3 and § 4 of the privacy notice privacy-policy.en.md.)
Annex B - Promotional Initiatives by Jurisdiction (replaces the Italian-only v3.0 Annex B)
Where the Customer launches, through the Platform, a Promotional Initiative (under any qualification in any jurisdiction), the personal data of Participants collected and processed on behalf of the Customer are processed for the following ancillary purposes, based on the jurisdiction of Participants' residence and/or the territory in which the initiative is offered:
| Jurisdiction of Customer / Participants | Sector regulation | Ancillary processing purpose |
|---|---|---|
| Italy | D.P.R. 26 October 2001 no. 430 (prize contests and operations) | Participation registration; winner extraction/selection; transactional communication; generation of notarial / CCIAA closing deed under Art. 9; evidence retention under Arts. 9 and 11 |
| EU / EEA (beyond Italy) | Directive 2005/29/EC; Directive 2011/83/EU; ePrivacy; national rules | Participation registration; winnings communication; compliance with transparency requirements |
| United Kingdom | Gambling Act 2005 Sched. 2; CAP Code Sec. 8; CPUT 2008; UK GDPR | Registration of free draw / prize competition; bonding where required; evidence retention |
| United States - federal | FTC Act; CAN-SPAM; TCPA; COPPA; 26 U.S.C. Form 1099-MISC | Endorsement-Guides evidence retention; no-purchase-necessary entry management; 1099-MISC issuance for prizes ≥ USD 600 by the Customer |
| United States - state | NY GBL § 369-e; FL Stat. Ch. 849.094; RI Gen. Laws § 11-50; CA B&P § 17539; AZ § 13-3311; TN § 47-18-120; etc. | State authority registration; state-level bonding; evidence retention for State Attorneys General |
| Germany | UWG §§ 3, 5, 5a, 7; BDSG; TTDSG | Promotional transparency; compliance with Direktmarketing |
| France | Code de la consommation L121-1 / L121-36 et seq.; CNIL | Registration of jeu-concours; CNIL notice |
| Spain | Ley 13/2011; LOPDGDD; RDL 1/2007 | Promotion compliance and consumer protection |
| Brazil | Lei 5.768/1971 + Decreto 70.951/1972 (SECAP/CAIXA); CDC; LGPD | SECAP authorisation; evidence retention; LGPD compliance for Brazilian participants |
| Canada | Competition Act s. 74.06; Criminal Code s. 206; PIPEDA; Quebec RACJ | Mathematical skill question for no-purchase entries; evidence retention; PIPEDA compliance |
| Australia | NSW Community Gaming Act 2018; VIC VCGLR; Australian Consumer Law; Privacy Act 1988 | State registration; evidence retention; APP compliance |
| Other jurisdictions | Catch-all (Switzerland, Japan, India, Singapore, UAE, South Africa, etc.) | Compliance with applicable local rules |
In all cases listed above, the promoter / sponsor / organisateur / Veranstalter / organizador under the applicable law is and remains the Customer. The Company acts exclusively as data processor and technical Platform provider.
Vora S.r.l. - Viale Certosa 218, 20156 Milan (MI), Italy - VAT: IT14762180967 - privacy@voiceofthenewera.com
Source document in markdown: docs/legal/dpa.en.md (v3.1.0 - 13 May 2026).